problem with FTP

Discussion in 'Cisco' started by Brian Bergin, Jul 22, 2005.

  1. Brian Bergin

    Seems to be my day for Cisco related issues. At a new location of ours (inherited
    from another company) running a 2620 on 12.3(10) I'm unable to FTP from any of
    their workstations. I can get to sites, but I cannot pull a dir listing of any
    site. Doesn't seem to matter if the site is Linux or Microsoft, large company
    (Symantec) or small (ours), I cannot pull a directory listing.

    I am able to login to the server and I see command confirmations when I issue
    things like binary <enter> and cd <enter> but not anything else.

    This office has a T1. If I replace the 2620 with a 1710 with a generic T1 config
    (ISP IP on the serial side and ISP provided IP on the ethernet0/0 side) and
    using a Linksys BEFSX41 for the "firewall" I'm able to FTP with no problem so
    I've got to have something wrong in my config. Here's the config:

    Current configuration : 3774 bytes
    !
    version 12.3
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    !
    hostname MattosLorton
    !
    boot-start-marker
    boot system flash c2600-i-mz.12310.bin
    boot-end-marker
    !
    logging rate-limit console 1000
    no logging console
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
    enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    !
    clock timezone EST -5
    clock summer-time EST recurring
    no aaa new-model
    ip subnet-zero
    no ip source-route
    ip cef
    !
    !
    no ip domain lookup
    ip domain name XXXXXXXXXXXXXXXXXXXX
    ip name-server 205.171.3.65
    ip dhcp excluded-address 192.168.101.101 192.168.101.254
    !
    ip dhcp pool 1
    network 192.168.101.0 255.255.255.0
    default-router 192.168.101.254
    dns-server 205.171.3.65
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    description connected to EthernetLAN
    ip address 192.168.101.254 255.255.255.0
    ip access-group 100 in
    ip nat inside
    speed 100
    full-duplex
    !
    interface Serial0/0
    description connected to Internet
    ip address 1.2.3.218 255.255.255.252
    ip access-group 101 in
    no ip unreachables
    ip nat outside
    no fair-queue
    service-module t1 timeslots 1-24
    service-module t1 remote-alarm-enable
    !
    router rip
    version 2
    passive-interface Serial0/0
    network 67.0.0.0
    no auto-summary
    !
    ip nat inside source list 1 interface Serial0/0 overload
    ip nat inside source static 192.168.101.101 4.5.6.32
    ip nat inside source static 192.168.101.102 4.5.6.33
    ip nat inside source static 192.168.101.103 4.5.6.34
    ip nat inside source static 192.168.101.104 4.5.6.35
    ip nat inside source static 192.168.101.105 4.5.6.36
    ip nat inside source static 192.168.101.106 4.5.6.37
    no ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0
    !
    !
    access-list 1 permit 192.168.101.0 0.0.0.255
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 permit ip any any log
    access-list 101 permit tcp any any established
    access-list 101 permit udp any eq domain any log
    access-list 101 permit icmp any any echo-reply log
    access-list 101 permit icmp any any time-exceeded log
    access-list 101 permit icmp any any port-unreachable log
    access-list 101 permit udp any eq domain any
    access-list 101 permit gre any any
    access-list 101 deny ip host 4.5.6.32 any
    access-list 101 deny ip host 4.5.6.33 any
    access-list 101 deny ip host 4.5.6.34 any
    access-list 101 deny ip host 4.5.6.35 any
    access-list 101 deny ip host 4.5.6.36 any
    access-list 101 deny ip host 4.5.6.37 any
    access-list 101 permit tcp any host 4.5.6.32 eq 3389
    access-list 101 permit udp any host 4.5.6.32 eq 5901
    access-list 101 deny ip any host 4.5.6.32
    access-list 101 permit tcp any host 4.5.6.33 eq 3389
    access-list 101 permit udp any host 4.5.6.33 eq 5902
    access-list 101 deny ip any host 4.5.6.33
    access-list 101 deny ip any host 4.5.6.34
    access-list 101 permit tcp any host 4.5.6.35 eq 3389
    access-list 101 permit udp any host 4.5.6.35 eq 5904
    access-list 101 deny ip any host 4.5.6.35
    access-list 101 permit tcp any host 4.5.6.36 eq 3389
    access-list 101 permit udp any host 4.5.6.36 eq 5905
    access-list 101 deny ip any host 4.5.6.36
    access-list 101 permit tcp any host 4.5.6.37 eq 3389
    access-list 101 permit udp any host 4.5.6.37 eq 5906
    access-list 101 deny ip any host 4.5.6.37
    snmp-server community XXXXXXXXXXXXX RO
    snmp-server enable traps tty
    !
    line con 0
    line aux 0
    line vty 0 4
    password 7 XXXXXXXXXXXXXXXXXXXXXXx
    login


    Thanks...
    Brian Bergin

    I can be reached via e-mail at
    cisco_dot_news_at_comcept_dot_net.

    Please post replies to the group so all may benefit.
     
    Brian Bergin, Jul 22, 2005
    #1

  2. By default, FTP data connections are initiated by the server connecting
    back to the client, but your ACL 101 doesn't allow incoming TCP
    connections. If you configure your clients to use passive FTP it should
    work, though.
    Is there supposed to be a pair of permits for 3389 and 5902 for 4.5.6.34
    here, like the other addresses?
    You might want to put:

    access-list 101 deny ip any any log

    at the end, at least when you're troubleshooting filter problems. This
    will show how you're interfering with the application.
     
    Barry Margolin, Jul 22, 2005
    #2

  3. Brian Bergin

    |By default, FTP data connections are initiated by the server connecting
    |back to the client, but your ACL 101 doesn't allow incoming TCP
    |connections. If you configure your clients to use passive FTP it should
    |work, though.

    I need to be able to use ftp.exe which I don't think supports passive mode. How
    can I fix the ACL 101 to allow this?

    Thanks...
    Brian Bergin


    NOTICE: Use of this information is contingent upon acceptance of Paragraph 17 of Terabyte's Terms and conditions located at http://terabyte.net/terms.htm#postings.
     
    Brian Bergin, Jul 22, 2005
    #3
  4. access-list 101 permit tcp any eq ftp-data any gt 1023
     
    Barry Margolin, Jul 22, 2005
    #4
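Added example, not code from the thread: a small evaluator for the IOS extended-ACL lines discussed in posts #2 and #4. It shows why the active-mode FTP data connection (server source port 20 sending a SYN with no ACK) falls through ACL 101 as posted to the implicit deny, and why it is permitted once the `permit tcp any eq ftp-data any gt 1023` line is appended. The server address 203.0.113.10 and the NAT'd client port 50000 are constructed values.

```python
import ipaddress

# Constructed subset of the poster's ACL 101 (only the lines that matter here).
ACL_101 = ["access-list 101 permit tcp any any established",
           "access-list 101 permit udp any eq domain any log",
           "access-list 101 deny ip any host 4.5.6.32"]
FTP_FIX = "access-list 101 permit tcp any eq ftp-data any gt 1023"  # post #4
NAMED_PORTS = {"ftp-data": 20, "ftp": 21, "domain": 53}

def _addr(tok, i):  # any | host A.B.C.D -> (network, next index); wildcard masks omitted
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network("0.0.0.0/0"), i + 1  # "any"

def _port(tok, i):  # optional eq|gt|lt <port> -> (op, port, next index)
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        return tok[i], NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, None, i

def parse_ace(line):
    tok = line.split()  # access-list <n> <action> <proto> <src> [op] <dst> [op] [flags]
    src, i = _addr(tok, 4)
    sop, sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dop, dport, i = _port(tok, i)
    return dict(action=tok[2], proto=tok[3], src=src, sop=sop, sport=sport, dst=dst,
                dop=dop, dport=dport, established="established" in tok[i:])

def _port_ok(op, want, have):
    return op is None or {"eq": have == want, "gt": have > want, "lt": have < want}[op]

def evaluate(acl, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        a = parse_ace(line)
        if a["proto"] not in ("ip", pkt["proto"]): continue
        if ipaddress.ip_address(pkt["src"]) not in a["src"]: continue
        if ipaddress.ip_address(pkt["dst"]) not in a["dst"]: continue
        if not _port_ok(a["sop"], a["sport"], pkt["sport"]): continue
        if not _port_ok(a["dop"], a["dport"], pkt["dport"]): continue
        if a["established"] and not pkt["ack"]: continue  # only ACK/RST segments match
        return a["action"], line
    return "deny", None

# Constructed active-mode data connection: the FTP server (source port 20) sends a
# SYN with no ACK to the client. ACL 101 is checked inbound on Serial0/0 before
# NAT, so the destination is the router's public address, not 192.168.101.x.
ACTIVE_DATA_SYN = dict(proto="tcp", src="203.0.113.10", sport=20,
                       dst="1.2.3.218", dport=50000, ack=False)

def before_fix(): return evaluate(ACL_101, ACTIVE_DATA_SYN)[0]               # "deny"
def after_fix():  return evaluate(ACL_101 + [FTP_FIX], ACTIVE_DATA_SYN)[0]  # "permit"
```

Because the added line trusts only the source port, it also admits any new inbound TCP connection from source port 20 to any port above 1023 on the PAT address; stateful handling (reflexive ACLs, or CBAC's FTP inspection on a feature set that includes it) avoids that.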
  5. Brian Bergin

    |access-list 101 permit tcp any eq ftp-data any gt 1023

    Thanks! I'll add it today.

    Thanks...
    Brian Bergin

     
    Brian Bergin, Jul 22, 2005
    #5
